summaryrefslogtreecommitdiff
path: root/sshkey.c
AgeCommit message (Collapse)Author
2019-12-30upstream: SK API and sk-helper error/PIN passingdjm@openbsd.org
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow. Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc. feedback and ok markus@ OpenBSD-Commit-ID: a1bd6b0a2421646919a0c139b8183ad76d28fb71
2019-12-14remove a bunch of ENABLE_SK #ifdefsDamien Miller
The ssh-sk-helper client API gives us a nice place to disable security key support when it is wasn't enabled at compile time, so we don't need to check everywere. Also, verification of security key signatures can remain enabled all the time - it has no additional dependencies. So sshd can accept security key pubkeys in authorized_keys, etc regardless of the host's support for dlopen, etc.
2019-12-14upstream: use ssh-sk-helper for all security key signing operationsdjm@openbsd.org
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid* requested by, feedback and ok markus@ OpenBSD-Commit-ID: 1abcd3aea9a7460eccfbf8ca154cdfa62f1dc93f
2019-11-25upstream: Add new structure for signature optionsdjm@openbsd.org
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field. with and ok markus@ OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
2019-11-18upstream: fix a bug that prevented serialisation of ed25519-sk keysdjm@openbsd.org
OpenBSD-Commit-ID: 066682b79333159cac04fcbe03ebd9c8dcc152a9
2019-11-18upstream: fix bug that prevented certification of ed25519-sk keysdjm@openbsd.org
OpenBSD-Commit-ID: 64c8cc6f5de2cdd0ee3a81c3a9dee8d862645996
2019-11-18Move ifdef OPENSSL_HAS_ECC.Darren Tucker
Found by -Wimplicit-fallthrough: one ECC case was not inside the ifdef. ok djm@
2019-11-17upstream: remove most uses of BN_CTXdjm@openbsd.org
We weren't following the rules re BN_CTX_start/BN_CTX_end and the places we were using it didn't benefit from its use anyway. ok dtucker@ OpenBSD-Commit-ID: ea9ba6c0d2e6f6adfe00b309a8f41842fe12fc7a
2019-11-15upstream: in order to be able to figure out the number ofmarkus@openbsd.org
signatures left on a shielded key, we need to transfer the number of signatures left from the private to the public key. ok djm@ OpenBSD-Commit-ID: 8a5d0d260aeace47d372695fdae383ce9b962574
2019-11-15upstream: fix shield/unshield for xmss keys: - in ssh-agent we needmarkus@openbsd.org
to delay the call to shield until we have received key specific options. - when serializing xmss keys for shield we need to deal with all optional components (e.g. state might not be loaded). ok djm@ OpenBSD-Commit-ID: cc2db82524b209468eb176d6b4d6b9486422f41f
2019-11-14Put sshsk_sign call inside ifdef ENABLE_SK.Darren Tucker
Fixes build against OpenSSL configured without ECC.
2019-11-13upstream: enable ed25519 support; ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e
2019-11-13upstream: implement sshsk_ed25519_inner_sig(); ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: f422d0052c6d948fe0e4b04bc961f37fdffa0910
2019-11-13upstream: rename sshsk_ecdsa_sign() to sshsk_sign(); ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: 1524042e09d81e54c4470d7bfcc0194c5b46fe19
2019-11-13upstream: implement ssh-ed25519-sk verification; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: 37906d93948a1e3d237c20e713d6ca8fbf7d13f6
2019-11-01conditionalise SK sign/verify on ENABLE_SKDamien Miller
Spotted by Darren and his faux-Vax
2019-11-01upstream: Refactor signing - use sshkey_sign for everything,djm@openbsd.org
including the new U2F signatures. Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that. Suggested by / ok markus@ OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c
2019-11-01upstream: Initial infrastructure for U2F/FIDO supportdjm@openbsd.org
Key library support: including allocation, marshalling public/private keys and certificates, signature validation. feedback & ok markus@ OpenBSD-Commit-ID: a17615ba15e0f7932ac4360cb18fc9a9544e68c7
2019-10-09upstream: fix an unreachable integer overflow similar to the XMSSdjm@openbsd.org
case, and some other NULL dereferences found by fuzzing. fix with and ok markus@ OpenBSD-Commit-ID: 0f81adbb95ef887ce586953e1cb225fa45c7a47b
2019-09-08needs time.h for --without-opensslDamien Miller
2019-09-06upstream: fixes for !WITH_OPENSSL compilation; ok dtucker@djm@openbsd.org
OpenBSD-Commit-ID: 7fd68eaa9e0f7482b5d4c7e8d740aed4770a839f
2019-09-03upstream: make get_sigtype public as sshkey_get_sigtype(); okdjm@openbsd.org
markus@ OpenBSD-Commit-ID: 01f8cdbec63350490d2249f41112c5780d1cfbb8
2019-07-16upstream: remove mostly vestigal uuencode.[ch]; moving the only uniquedjm@openbsd.org
functionality there (wrapping of base64-encoded data) to sshbuf functions; feedback and ok markus@ OpenBSD-Commit-ID: 4dba6735d88c57232f6fccec8a08bdcfea44ac4c
2019-07-15upstream: support PKCS8 as an optional format for storage ofdjm@openbsd.org
private keys, enabled via "ssh-keygen -m PKCS8" on operations that save private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less terrible KDF (IIRC PEM uses a single round of MD5 as a KDF). adapted from patch by Jakub Jelen via bz3013; ok markus OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
2019-07-08upstream: Remove some set but never used variables. ok daraadt@dtucker@openbsd.org
OpenBSD-Commit-ID: 824baf9c59afc66a4637017e397b9b74a41684e7
2019-06-28upstream: fix NULL deference (bzero) on errdjm@openbsd.org
=?UTF-8?q?or=20path=20added=20in=20last=20commit;=20spotted=20by=20Reynir?= =?UTF-8?q?=20Bj=C3=B6rnsson?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ok deraadt@ markus@ tb@ OpenBSD-Commit-ID: b11b084bcc551b2c630560eb08618dd501027bbd
2019-06-23upstream: fix mismatch proto/decl from key shielding change; spotteddjm@openbsd.org
via oss-fuzz OpenBSD-Commit-ID: 1ea0ba05ded2c5557507bd844cd446e5c8b5b3b7
2019-06-21upstream: Add protection for private keys at rest in RAM againstdjm@openbsd.org
speculation and memory sidechannel attacks like Spectre, Meltdown, Rowhammer and Rambleed. This change encrypts private keys when they are not in use with a symmetic key that is derived from a relatively large "prekey" consisting of random data (currently 16KB). Attackers must recover the entire prekey with high accuracy before they can attempt to decrypt the shielded private key, but the current generation of attacks have bit error rates that, when applied cumulatively to the entire prekey, make this unlikely. Implementation-wise, keys are encrypted "shielded" when loaded and then automatically and transparently unshielded when used for signatures or when being saved/serialised. Hopefully we can remove this in a few years time when computer architecture has become less unsafe. been in snaps for a bit already; thanks deraadt@ ok dtucker@ deraadt@ OpenBSD-Commit-ID: 19767213c312e46f94b303a512ef8e9218a39bd4
2019-05-20upstream: When signing certificates with an RSA key, default todjm@openbsd.org
using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH < 7.2 unless the default is overridden. Document the ability of the ssh-keygen -t flag to override the signature algorithm when signing certificates, and the new default. ok deraadt@ OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
2019-05-08upstream: Wrap XMSS including in ifdef. Patch from markus atdtucker@openbsd.org
blueflash.cc, ok djm OpenBSD-Commit-ID: e3b34fc35cf12d33bde91ac03633210a3bc0f8b5
2019-01-21upstream: Make sshpkt_get_bignum2() allocate the bignum it isdjm@openbsd.org
parsing rather than make the caller do it. Saves a lot of boilerplate code. from markus@ ok djm@ OpenBSD-Commit-ID: 576bf784f9a240f5a1401f7005364e59aed3bce9
2018-10-11some more duplicated key algorithm linesDamien Miller
From Adam Eijdenberg
2018-10-11fix duplicated algorithm specification linesDamien Miller
Spotted by Adam Eijdenberg
2018-10-11upstream: typo in plain RSA algorithm counterpart names fordjm@openbsd.org
certificates; spotted by Adam Eijdenberg; ok dtucker@ OpenBSD-Commit-ID: bfcdeb6f4fc9e7607f5096574c8f118f2e709e00
2018-10-11supply callback to PEM_read_bio_PrivateKeyDamien Miller
OpenSSL 1.1.0i has changed the behaviour of their PEM APIs, so that empty passphrases are interpreted differently. This probabalistically breaks loading some keys, because the PEM format is terrible and doesn't include a proper MAC. Avoid this by providing a basic callback to avoid passing empty passphrases to OpenSSL in cases where one is required. Based on patch from Jakub Jelen in bz#2913; ok dtucker@
2018-10-09upstream: Treat all PEM_read_bio_PrivateKey() errors when a passphrasedjm@openbsd.org
is specified as "incorrect passphrase" instead of trying to choose between that and "invalid format". libcrypto can return ASN1 parsing errors rather than the expected decrypt error in certain infrequent cases when trying to decrypt/parse PEM private keys when supplied with an invalid passphrase. Report and repro recipe from Thomas Deutschmann in bz#2901 ok markus@ OpenBSD-Commit-ID: b1d4cd92395f9743f81c0d23aab2524109580870
2018-09-15Fix openssl-1.1 fallout for --without-openssl.Darren Tucker
ok djm@
2018-09-14upstream: garbage-collect moribund ssh_new_private() API.djm@openbsd.org
OpenBSD-Commit-ID: 7c05bf13b094093dfa01848a9306c82eb6e95f6c
2018-09-13adapt -portable to OpenSSL 1.1x APIDamien Miller
Polyfill missing API with replacement functions extracted from LibreSSL
2018-09-13upstream: hold our collective noses and use the openssl-1.1.x API indjm@openbsd.org
OpenSSH; feedback and ok tb@ jsing@ markus@ OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
2018-09-12upstream: add sshkey_check_cert_sigtype() that checks adjm@openbsd.org
cert->signature_type against a supplied whitelist; ok markus OpenBSD-Commit-ID: caadb8073292ed7a9535e5adc067d11d356d9302
2018-09-12upstream: add cert->signature_type field and keep it in sync withdjm@openbsd.org
certificate signature wrt loading and certification operations; ok markus@ OpenBSD-Commit-ID: e8b8b9f76b66707a0cd926109c4383db8f664df3
2018-07-03upstream: some finesse to fix RSA-SHA2 certificate authenticationdjm@openbsd.org
for certs hosted in ssh-agent OpenBSD-Commit-ID: e5fd5edd726137dda2d020e1cdebc464110a010f
2018-07-03upstream: Improve strictness and control over RSA-SHA2 signaturedjm@openbsd.org
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself. In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature. Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2. Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys. feedback and ok markus@ OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
2018-03-23upstream: ssh/xmss: fix deserialize for certs; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: f44c41636c16ec83502039828beaf521c057dddc
2018-03-02upstream: refactor sshkey_read() to make it a little more, err,djm@openbsd.org
readable. ok markus OpenBSD-Commit-ID: 2e9247b5762fdac3b6335dc606d3822121714c28
2018-02-26upstream: Add experimental support for PQC XMSS keys (Extendedmarkus@openbsd.org
Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok djm@ OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
2018-02-16upstream: Some obvious freezero() conversions.jsing@openbsd.org
This also zeros an ed25519_pk when it was not being zeroed previously. ok djm@ dtucker@ OpenBSD-Commit-ID: 5c196a3c85c23ac0bd9b11bcadaedd90b7a2ce82
2018-02-08upstream commitjsing@openbsd.org
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards. Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github. ok deraadt@ dtucker@ OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae
2017-12-19upstream commitdjm@openbsd.org
pass negotiated signing algorithm though to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@ OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9